ISO 27001:2022 Clause 6.1: Actions to Address Risks and Opportunities

The Definitive Governance Requirement.

Clause 6.1 mandates that you determine the risks and opportunities that need to be addressed to ensure the ISMS can achieve its intended outcome. This is the engine room of the standard. Without a rigorous, evidence-based risk assessment, your security controls (Annex A) are arbitrary and indefensible.

The Mandate

The standard does not permit you to implement security controls based on “gut feeling” or “best practice.” You must implement controls based on Risk.

Clause 6.1 requires a linear, mathematical progression:

  1. Context Integration: You must address the issues identified in Clause 4.1 and the requirements in Clause 4.2.
  2. Assessment (6.1.2): You must establish and maintain information security risk assessment criteria. You must identify risks, analyze them (Likelihood × Impact), and evaluate them against your acceptance criteria.
  3. Treatment (6.1.3): You must define how you will handle those risks. Will you Mitigate, Transfer, Accept, or Avoid them?

The Verdict: If you cannot produce a methodology that explains how you calculated a risk score, you are non-compliant. A spreadsheet of random numbers is not a methodology.

The Implementation Strategy

Do not confuse “Risk Management” with “Worrying.” This is a structured discipline.

  1. Define the Methodology: Before you assess a single server, define your rules. What is “High Impact”? Is it £1M loss? Is it 4 hours of downtime? Define the parameters.
  2. Asset-Based or Scenario-Based: Choose your weapon. Asset-based (What threats hit this laptop?) is thorough but slow. Scenario-based (What happens if we get ransomed?) is faster and often more strategic.
  3. The Statement of Applicability (SoA): This is the output of 6.1.3. You must compare your necessary controls against Annex A and verify that no necessary controls have been omitted.
  4. The Risk Treatment Plan: For every risk above your tolerance, you need a plan. Who is fixing it? When? With what budget?

The Auditor’s Trap

[The Auditor’s View] The most common Major Non-Conformance here is “The Disconnected Control.” I often see companies implement complex firewalls because “it’s good security,” but their Risk Assessment shows no risk requiring it. Conversely, I see High Risks in the register with “Accept” listed, but no sign-off from the Board. You cannot accept a High Risk at the IT Manager level. That is Board jurisdiction.
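The methodology steps above and the two audit findings just described can be checked mechanically. The following is an added illustration, not code from this page or from any Hightable product; the 1–5 scales, the tolerance of 9, the control identifiers and the register entries are all constructed assumptions, and a real methodology would substitute its own parameters.

```python
from dataclasses import dataclass, field

# Constructed methodology (an assumption, not the standard's): 1-5 scales,
# score = Likelihood x Impact, anything above TOLERANCE is a "High" risk.
TOLERANCE = 9

@dataclass
class Risk:
    rid: str
    likelihood: int
    impact: int
    treatment: str                 # Mitigate | Transfer | Accept | Avoid
    owner: str = ""                # named individual (required above tolerance)
    controls: set = field(default_factory=set)  # control ids justified by this risk
    signed_off_by: str = ""        # who approved an "Accept" decision

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def audit(register: list, soa: dict) -> list:
    """Return findings for a register and an SoA (control id -> applicable?)."""
    out, linked = [], set()
    for r in register:
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            out.append(f"{r.rid}: likelihood/impact outside the defined scale")
        if r.score > TOLERANCE:
            if r.treatment == "Accept" and r.signed_off_by != "Board":
                out.append(f"{r.rid}: High risk accepted without Board sign-off")
            if r.treatment != "Accept" and not r.owner:
                out.append(f"{r.rid}: above tolerance with no named risk owner")
            if r.treatment == "Mitigate" and not r.controls:
                out.append(f"{r.rid}: Mitigate chosen but no control linked")
        linked |= r.controls
    for ctl, applicable in soa.items():   # the "disconnected control"
        if applicable and ctl not in linked:
            out.append(f"{ctl}: applicable in SoA but justified by no risk")
    for ctl in linked - {c for c, a in soa.items() if a}:
        out.append(f"{ctl}: required by a risk but omitted from SoA")
    return sorted(out)

# Constructed sample register and SoA; control ids are placeholders.
REGISTER = [
    Risk("R1", 4, 5, "Mitigate", owner="CISO", controls={"CTRL-BACKUP"}),
    Risk("R2", 5, 4, "Accept", signed_off_by="IT Manager"),
    Risk("R3", 2, 2, "Accept"),
    Risk("R4", 4, 4, "Mitigate"),
]
SOA = {"CTRL-BACKUP": True, "CTRL-FIREWALL": True, "CTRL-POLICY": False}
```

Running `audit(REGISTER, SOA)` yields four findings: R2 accepted at IT Manager level, R4 with no owner and no control, and the firewall control present in the SoA with no risk behind it.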

Required Evidence

This clause generates the most paperwork in the entire audit. Your evidence must be impeccable.

  • Risk Management Methodology: The rulebook for how you assess risk.
  • Risk Register: The database of identified risks, their scores, and owners.
  • Risk Treatment Plan (RTP): The project plan for mitigating risks.
  • Statement of Applicability (SoA): The definitive list of which Annex A controls apply to you.
  • Risk Owners: Named individuals responsible for specific risks.

Strategic Acceleration

Building a risk methodology from scratch is a mathematical minefield. If your formula is wrong, every decision you make is wrong.

The Hightable™ Risk Management Framework is pre-calibrated. It provides the methodology, the calculator, and the reporting tools to turn “Guesswork” into “Governance.”

The Next Move: Deploy the Risk Framework